The Right Resources for Critical Infrastructure
As one of our first steps, we must build the underlying architecture to conduct cyber risk analysis for critical infrastructure. Critical infrastructure is supported by a dependent web of hardware, software, services and other connected components.
Take the example of water supply, which CISA’s National Risk Management Center (NRMC) has designated a National Critical Function. Water supply and treatment interact with utilities; assets such as reservoirs; and internet-connected technology. These systems connect to and depend on one another to operate.
However, there is no engine that captures all these data layers in one dynamic analytic tool. Working with sector-specific agencies such as the Environmental Protection Agency, the NRMC is building a National Critical Functions risk architecture to be that engine.
This is a complex and challenging endeavor. In time, however, this system of systems will enable us to consistently harness data and insight to answer key cyber risk management questions based on an understanding of potential impact.
Supporting efforts to better grasp the impact of cyber risk across the critical infrastructure community will involve developing usable metrics to quantify cyber risk in terms of functional loss.
The goal is to more precisely understand the relationship between threat, vulnerability and consequence on critical functions, and to bring that thinking into cost-benefit analysis for mitigating risks.
The emergence of security ratings has increased the use of cyber risk quantification to calculate and measure cyber risk exposure. These security ratings provide a starting point for assessing companies’ cybersecurity capabilities and help elevate cyber risk to the level of board decision-making.
Our goal is to build on existing efforts, bring these partners into the fold and welcome others who are eager to add value to these important discussions, so that cyber metrics become part of the national security decision-making space.
Mitigating Cyber Risk Through the Right Metrics
Also central to our venture to reduce systemic cyber risk is finding concentrated sources of risk that, if mitigated, provide heightened risk management bang for the buck.
One example is software risk. We’ve seen how a nonsecure software supply chain and increasing reliance on open-source libraries can expose us to the risk of a digital pandemic of sorts. The ubiquity of coding flaws across connected systems can create an opportunity to affect National Critical Functions.
This risk is no longer hypothetical.
Over the past two years, we’ve worked through a public-private Information and Communications Technology (ICT) Supply Chain Risk Management Task Force to identify supply chain threats, including those derived from software, and to develop guidance and tools to help ICT companies and their customers, including the federal government, reduce risk from software supply chains.
Our mission demands that we better understand and address systemic cyber risk. The steady drumbeat of the importance of cyber essentials must be complemented with a more advanced understanding of how cyber risk manifests itself in an interconnected world.